From a231918317062ab0ae04b9c08f11e0a82e5d351a Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Fri, 3 Nov 2017 16:44:22 +0000
Subject: [PATCH] put secret code in email url token

---
 app/user/rest.py | 20 +++++++++++---------
 tests/app/user/test_rest_verify.py | 1 +
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/app/user/rest.py b/app/user/rest.py
index ac220a1d1..2aa2bda3a 100644
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -171,10 +171,14 @@ def send_user_email_code(user_id):
     if not user_to_send_to:
         return jsonify({}), 204
 
-    create_user_code(user_to_send_to, str(uuid.uuid4()), EMAIL_TYPE)
+    secret_code = str(uuid.uuid4())
+    create_user_code(user_to_send_to, secret_code, EMAIL_TYPE)
 
     template = dao_get_template_by_id(current_app.config['EMAIL_2FA_TEMPLATE_ID'])
-    personalisation = {'name': user_to_send_to.name, 'url': _create_2fa_url(user_to_send_to, data.get('next'))}
+    personalisation = {
+        'name': user_to_send_to.name,
+        'url': _create_2fa_url(user_to_send_to, secret_code, data.get('next'))
+    }
 
     create_2fa_code(template, user_to_send_to.email_address, personalisation)
 
@@ -243,8 +247,6 @@ def send_user_confirm_new_email(user_id):
 def send_new_user_email_verification(user_id):
     # when registering, we verify all users' email addresses using this function
     user_to_send_to = get_user_by_id(user_id=user_id)
-    secret_code = create_secret_code()
-    create_user_code(user_to_send_to, secret_code, 'email')
     template = dao_get_template_by_id(current_app.config['NEW_USER_EMAIL_VERIFICATION_TEMPLATE_ID'])
     service = Service.query.get(current_app.config['NOTIFY_SERVICE_ID'])
 
@@ -256,7 +258,7 @@ def send_new_user_email_verification(user_id):
         service=service,
         personalisation={
             'name': user_to_send_to.name,
-            'url': _create_verification_url(user_to_send_to, secret_code)
+            'url': _create_verification_url(user_to_send_to)
         },
         notification_type=EMAIL_TYPE,
         api_key_id=None,
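Review bot: The link built on the `'url': _create_2fa_url(user_to_send_to, secret_code, data.get('next'))` line now carries the one-time code itself, so the emailed URL becomes a bearer credential for the second factor rather than a pointer to a code the user types in, and its strength rests entirely on the `/email-auth/` consumer matching the token's `secret_code` against the stored VerifyCode, marking it used and honouring that record's expiry — none of which is visible in this diff. The code is still persisted by `create_user_code(user_to_send_to, secret_code, EMAIL_TYPE)`, which is what makes single use possible, so that line deserves a comment: `# the same code is embedded in the emailed URL (see _create_2fa_url); the consumer must accept it once and honour expiry`. The matching payload change is in the `_create_2fa_url` hunk further down, which also drops the `email` key from the token. send_user_email_code starts before this hunk.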
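Review bot: Removing `create_user_code(user_to_send_to, secret_code, 'email')` from send_new_user_email_verification means a new user's email verification is no longer backed by a server-side single-use VerifyCode record (the test hunk asserts `VerifyCode.query.count() == 0`); the link's validity now depends solely on the token produced by `url_with_token` and whatever expiry its consumer enforces, and the same link can presumably be replayed until that expiry. If that trade-off is intended, say so on the comment line that opens the function, e.g. `# no VerifyCode row is created here: the signed, time-limited token in the URL is the only proof of control of the address — confirm url_with_token embeds a timestamp`; if it is not, the stored code should stay. The helper side of this change is `_create_verification_url(user)` in a later hunk, which drops `secret_code` from the token payload, so the `/verify-email/` consumer (outside this diff) must no longer expect that key. The function body continues past this hunk and its call site is updated in the following hunk.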
@@ -374,8 +376,8 @@ def _create_reset_password_url(email):
     return url_with_token(data, url, current_app.config)
 
 
-def _create_verification_url(user, secret_code):
-    data = json.dumps({'user_id': str(user.id), 'email': user.email_address, 'secret_code': secret_code})
+def _create_verification_url(user):
+    data = json.dumps({'user_id': str(user.id), 'email': user.email_address})
     url = '/verify-email/'
     return url_with_token(data, url, current_app.config)
 
@@ -386,8 +388,8 @@ def _create_confirmation_url(user, email_address):
     return url_with_token(data, url, current_app.config)
 
 
-def _create_2fa_url(user, next_redir):
-    data = json.dumps({'user_id': str(user.id), 'email': user.email_address})
+def _create_2fa_url(user, secret_code, next_redir):
+    data = json.dumps({'user_id': str(user.id), 'secret_code': secret_code})
     url = '/email-auth/'
     ret = url_with_token(data, url, current_app.config)
     if next_redir:
diff --git a/tests/app/user/test_rest_verify.py b/tests/app/user/test_rest_verify.py
index 55ca3c543..a84a1a72a 100644
--- a/tests/app/user/test_rest_verify.py
+++ b/tests/app/user/test_rest_verify.py
@@ -275,6 +275,7 @@ def test_send_new_user_email_verification(client,
                                           headers=[('Content-Type', 'application/json'), auth_header])
     assert resp.status_code == 204
     notification = Notification.query.first()
+    assert VerifyCode.query.count() == 0
     mocked.assert_called_once_with(([str(notification.id)]), queue="notify-internal-tasks")
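Review bot: `def _create_2fa_url(user, secret_code, next_redir):` inserts the new parameter between two existing positional ones, so any caller other than the one updated in the first hunk would silently pass its redirect as the secret; making both keyword-only, `def _create_2fa_url(user, *, secret_code, next_redir):` with the call changed to `_create_2fa_url(user_to_send_to, secret_code=secret_code, next_redir=data.get('next'))`, removes that failure mode. The payload line also swaps `'email'` for `'secret_code'`, so the `/email-auth/` consumer (not in this diff) must stop reading `email` from the token and must compare `secret_code` against the stored VerifyCode. A docstring would help: `"""Build the signed /email-auth/ link; the token carries user_id and the one-time secret_code."""`. The function body continues past this hunk.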